From owner-freebsd-questions  Tue May 28 15:12:04 1996
Return-Path: owner-questions
Received: (from root@localhost)
          by freefall.freebsd.org (8.7.5/8.7.3) id PAA06576
          for questions-outgoing; Tue, 28 May 1996 15:12:04 -0700 (PDT)
Received: from who.cdrom.com (who.cdrom.com [204.216.27.3])
          by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id PAA06522
          for <questions@freebsd.org>; Tue, 28 May 1996 15:11:51 -0700 (PDT)
Received: from mistery.mcafee.com (jimd@mistery.mcafee.com [192.187.128.69])
          by who.cdrom.com (8.6.12/8.6.11) with ESMTP id KAA06576
          for <questions@FreeBSD.org>; Tue, 28 May 1996 10:12:34 -0700
Received: (from jimd@localhost) by mistery.mcafee.com (8.6.11/8.6.9) id KAA18866; Tue, 28 May 1996 10:31:06 -0700
From: Jim Dennis <jimd@mistery.mcafee.com>
Message-Id: <199605281731.KAA18866@mistery.mcafee.com>
Subject: Re: kernel file permissions
To: jrclark@felix.iupui.edu (John Clark)
Date: Tue, 28 May 1996 10:31:06 -0700 (PDT)
Cc: questions@freebsd.org
In-Reply-To: <2.2.32.19960528110438.0030d694@felix.iupui.edu> from "John Clark" at May 28, 96 10:59:46 am
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-questions@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> 
> Hello,
>  
> I was looking at the default kernel permissions...  Is there any need to
> have them so open?  Why should there be read and execute permissions for the
> "other" group?  I suppose, you could reverse that question on me: "why not
> let everyone read and execute it?"
> 
> Anyway, it seems to work great like this:
> 
> -r--------   1 root  wheel   705521 May 21 12:33 kernel
> -r--------   1 root  wheel  1139171 May 18 12:15 kernel.gen
> 
> Call me anal, but this seems much more desirable.  If someone knows of a
> reason why the above permissions may be bad (ie. different run levels?),
> please let me know -- but it works just fine as far as I can tell.

	Some debuggers and/or some diagnostics might need to read
	the kernel to look for some data structures.  Linux has a 
	/System.map for some reason.

	However I run my Linux and FreeBSD systems with read-only
	kernels.  I see no security benefit to non-readable kernel
	(particularly as the src tree usually must be at least 
	"group" readable).

	I also add 'chflags syschg' to that -- so it's harder for
	me to damage a kernel file (or any of my libs, or bins)
	even when I'm su'd to 'root'

Jim Dennis,
System Administrator,
McAfee Associates